Trojan Bitcoinminer


(Smuk20) #1

Hi, a trojan named bitcoinminer (or something like that) got onto my disk, in the temp folder.

I'm asking for help because my antivirus (Avira AntiVir) finds it and deletes it, but after a moment it shows up again.

Here is the link to the OTL report

http://wklej.org/id/1824435/

and the link to the Extras report

http://wklej.org/id/1824436/


(Atis) #2

Farbar Recovery Scan Tool - the report is mandatory


(Smuk20) #3

OK, I understand, here are the FRST reports

FRST - http://www.wklej.org/id/1824454/

Shortcut - http://www.wklej.org/id/1824455/

Addition - http://www.wklej.org/id/1824456/

help :frowning:


(Atis) #4

Paste into the system Notepad and save as a text file named fixlist :

CloseProcesses:
HKU\S-1-5-21-2776563168-3878277077-1994203515-1000\...\Run: [tsiVideo] = C:\Windows\SysWOW64\rundll32.exe C:\Users\Marcin\AppData\Local\Temp\mdi364.dll,dalmat ===== ATTENTION
Startup: C:\Users\Marcin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fixer.lnk [2015-10-24]
ShortcutTarget: fixer.lnk - C:\Users\Marcin\AppData\Roaming\fixer.vbs ()
BootExecute: PDBoot.exeautocheck autochk *
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2776563168-3878277077-1994203515-1000 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
2015-10-24 13:57 - 2015-10-24 13:57 - 00616448 __RSH C:\Windows\SysWOW64\upnphostg.dll
2015-10-24 06:41 - 2015-10-24 06:41 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{C3D223FF-D589-4CC0-802D-9D439EE9956C}
2015-10-24 06:35 - 2015-10-24 06:35 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{F2E1FE9B-4CC7-42B6-9601-479C483F8B88}
2015-10-23 14:44 - 2015-10-23 14:44 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{4C531F81-5A7C-43F2-B88D-79EA9A4AF0FC}
2015-10-23 05:19 - 2015-10-23 05:19 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{32FD6458-44B1-4A84-88A7-7FD2E2320D7D}
2015-10-22 21:00 - 2015-10-22 21:00 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{6B00AAF3-FCBC-4329-B470-3DAF83E4C6B3}
2015-10-22 19:10 - 2015-10-22 19:10 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{039891CD-C0E3-4E66-9B11-61618B66D5DA}
2015-10-22 05:18 - 2015-10-22 05:18 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{B6C100DC-6BCC-4169-B4FE-166C634A4668}
2015-10-21 20:31 - 2015-10-21 20:31 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{70AE482E-52EA-45DD-9DA5-8F488F8EDF65}
2015-10-21 05:13 - 2015-10-21 05:13 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{2050E4B4-6A30-47A6-9FCA-570E9309C589}
2015-10-20 16:40 - 2015-10-20 16:40 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{7451EB80-C834-4B12-A0C2-A3EC43CE0EF4}
2015-10-19 19:13 - 2015-10-19 19:13 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{5D9CD069-2FA0-4ED6-9E9B-462ACFC8FE82}
2015-10-19 16:11 - 2015-10-19 16:11 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{97D8FC34-F457-4B3D-9129-F42C7AE8BB5C}
2015-10-18 18:34 - 2015-10-18 18:34 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{7DBF4982-47F5-442A-BB69-C6EFC707289D}
2015-10-18 13:00 - 2015-10-18 13:00 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{6A6474FE-1F9C-4047-9C29-DD3667DA2117}
2015-10-17 20:59 - 2015-10-17 20:59 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{55E22684-AE44-4D45-A6D9-89997399C0C0}
2015-10-17 07:36 - 2015-10-17 07:36 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{9446AE91-AC95-4225-9A6A-788D9362D483}
2015-10-16 05:25 - 2015-10-16 05:25 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{98BD3181-8726-4BAB-8C7D-9934E804D106}
2015-10-15 16:01 - 2015-10-15 16:01 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{26A147D6-0355-448D-A500-4B9F0322E8E9}
2015-10-14 18:39 - 2015-10-14 18:39 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{BD6C0120-1367-46DE-A9F4-772F556D4177}
2015-10-14 05:28 - 2015-10-14 05:28 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{7E6E73B6-380E-4124-BE6E-52F6BCAF9519}
2015-10-13 16:04 - 2015-10-13 16:04 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{495C94D3-BC73-408B-8AFE-BDA989412223}
2015-10-12 20:39 - 2015-10-12 20:39 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{DEFC16A6-DAC1-49A7-8D76-106E0D9D7E14}
2015-10-12 05:02 - 2015-10-12 05:03 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{C906997B-B83E-4987-87D6-44B487917B96}
2015-10-11 22:26 - 2015-10-11 22:26 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{A5860194-85C3-4D5B-A87B-B749CDFF0A56}
2015-10-11 19:52 - 2015-10-11 19:52 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{546D1CDC-C6C6-4D0C-A12C-641CC6483C66}
2015-10-11 07:29 - 2015-10-11 07:29 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{946A84E1-A167-4FB3-9651-D131825D17DA}
2015-10-10 17:38 - 2015-10-10 17:38 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{74677869-23EC-4749-9FFD-FE39E496613B}
2015-10-10 06:36 - 2015-10-10 06:36 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{56F0E5FD-F6D7-43C3-84DB-34DC8D242910}
2015-10-09 21:11 - 2015-10-09 21:11 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{C6C3A930-D33D-400D-83EA-81A46982BB2A}
2015-10-09 17:04 - 2015-10-09 17:05 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{3ABB1728-9245-4F3A-9A28-1F0A66414DDF}
2015-10-09 16:54 - 2015-10-09 16:54 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{DC027A1C-43FE-440C-8342-5EF25D968534}
2015-10-09 04:39 - 2015-10-09 04:39 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{2CFCB0F8-1B91-4D64-9148-370B78C29212}
2015-10-08 20:20 - 2015-10-08 20:21 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{7C6D98CC-254D-41FF-BDEE-314A0FE46214}
2015-10-08 05:56 - 2015-10-08 05:56 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{13090480-3AF9-4542-978C-BC5F4BF02D11}
2015-10-08 05:20 - 2015-10-08 05:20 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{6BDF747F-302A-4E82-8D7C-5CC3D93E31DA}
2015-10-07 16:12 - 2015-10-07 16:12 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{707959AF-39FD-4385-BEC9-7E188431D261}
2015-10-07 05:19 - 2015-10-07 05:19 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{A39FBB58-06EF-4E10-83C2-E0E2080C99B3}
2015-10-06 15:53 - 2015-10-06 15:53 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{2CFEEC73-F590-4AE7-B185-99EE0C1F71FA}
2015-10-06 05:15 - 2015-10-06 05:15 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{F9B21DFC-5EB1-4B1B-B225-C3DE2A8D0BB9}
2015-10-05 09:48 - 2015-10-05 09:48 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{F6619371-5713-4BD2-8525-FA2151C00857}
2015-10-04 21:47 - 2015-10-04 21:48 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{BD772640-06EC-474E-B906-F731A3EBEC1B}
2015-10-04 07:19 - 2015-10-04 07:19 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{9978795B-4207-4E25-93AB-13976BB54510}
2015-10-03 11:30 - 2015-10-03 11:30 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{E0A7CF54-107D-46AA-B96F-35F54663EFA6}
2015-10-02 06:02 - 2015-10-02 06:02 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{99B11603-E590-4E05-A4A7-F39605934FC6}
2015-10-01 17:38 - 2015-10-01 17:39 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{E7D601B4-C1BF-4D61-BDFB-C12B8B9CC13A}
2015-10-01 05:20 - 2015-10-01 05:20 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{D0E02C57-E636-4CA0-B750-8BB503C94309}
2015-09-30 07:41 - 2015-09-30 07:41 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{B661E122-3673-403D-8B04-3D347800EE9B}
2015-09-29 16:02 - 2015-09-29 16:02 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{6D4893A9-00EF-4E7B-88B0-57627E9B0422}
2015-09-29 15:53 - 2015-09-29 15:53 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{54760D49-421C-44C0-99EE-B0647BE3C502}
2015-09-28 19:46 - 2015-09-28 19:46 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{1F4BF304-1D50-41F4-91EF-5B9FEF3462D8}
2015-09-28 05:16 - 2015-09-28 05:17 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{5025B6E1-61EB-4A69-B0C4-7697885F291B}
2015-09-27 16:53 - 2015-09-27 16:53 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{A2D19AFD-1511-4D9B-A39B-C41FE4904115}
2015-09-26 20:37 - 2015-09-26 20:37 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{4BFBBF20-4D8C-4E46-95C9-594420BE25AD}
2015-09-26 10:54 - 2015-09-26 10:54 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{AC8E17D5-28F3-4E8F-95DB-9CAB7050CB7C}
2015-09-25 20:07 - 2015-09-25 20:07 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{09D9727A-AA92-44DE-8FC7-65FCEC47AB78}
2015-09-25 13:16 - 2015-09-25 13:17 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{7714033B-C3D8-41F6-8CCB-86E2976E9C9C}
2015-09-24 16:13 - 2015-09-24 16:13 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{7113137A-088F-4289-B884-3B1BB826818D}
2015-09-24 05:28 - 2015-09-24 05:28 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{C3C64548-953D-4DC1-BD52-638B18A16885}
Task: {3D08D219-3E3A-47D3-8AEE-87869F515EB1} - System32\Tasks\Wbbq = Rundll32.exe "C:\Windows\SysWOW64\upnphostg.dll",kbggzkwu
Task: C:\Windows\Tasks\Wbbq.job = C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\upnphostg.dll
EmptyTemp:

Run FRST and click Fix. Post the removal report Fixlog.
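The fixlist above removes four persistence mechanisms at once: a Run key that makes rundll32 load a DLL from the user's Temp folder, a .vbs script launched via a shortcut in the Startup folder, a scheduled task (plus its legacy .job twin) that again goes through rundll32, and a read-only/system/hidden DLL dropped into SysWOW64 for that task to load, with the BootExecute value thrown in as a deviation from the default. The script below is an added example, not part of this thread and not FRST's own code: it runs the same heuristics over FRST log lines so an analyst can spot these patterns in a report before writing a fixlist. The rules are assumptions about what usually marks a bad autostart (rundll32 pointed at a user-writable path, a script as a Startup target, rundll32 in a task, RSH attributes under \Windows, a non-default BootExecute). The sample input is constructed: the flagged lines are the ones quoted in the fixlist, and the Realtek and Google Update entries are made-up benign autostarts so the filter has something to let through. Python was chosen because the log is parsed offline, away from the infected machine.

```python
"""Triage FRST log lines for the persistence patterns removed in the fixlist above.

Added example (not from the thread, not FRST's own code). The rules are heuristics
(assumptions), and the regexes target the 2015-era FRST line syntax quoted in the
thread; both the " = " and the newer " => " separators are accepted.
"""
import re
from dataclasses import dataclass

# Constructed sample input. The flagged entries are quoted from the fixlist; the
# Realtek and Google Update lines are made-up benign autostarts (assumed, not from
# the thread) so the filter has something to pass.
SAMPLE_FRST = r"""
HKU\S-1-5-21-2776563168-3878277077-1994203515-1000\...\Run: [tsiVideo] = C:\Windows\SysWOW64\rundll32.exe C:\Users\Marcin\AppData\Local\Temp\mdi364.dll,dalmat
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13661912 2013-04-22] (Realtek Semiconductor)
Startup: C:\Users\Marcin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fixer.lnk [2015-10-24]
ShortcutTarget: fixer.lnk - C:\Users\Marcin\AppData\Roaming\fixer.vbs ()
BootExecute: PDBoot.exeautocheck autochk *
2015-10-24 13:57 - 2015-10-24 13:57 - 00616448 __RSH C:\Windows\SysWOW64\upnphostg.dll
2015-10-24 06:41 - 2015-10-24 06:41 - 00000000 ____ D C:\Users\Marcin\AppData\Local\{C3D223FF-D589-4CC0-802D-9D439EE9956C}
Task: {3D08D219-3E3A-47D3-8AEE-87869F515EB1} - System32\Tasks\Wbbq = Rundll32.exe "C:\Windows\SysWOW64\upnphostg.dll",kbggzkwu
Task: C:\Windows\Tasks\Wbbq.job = C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\upnphostg.dll
Task: {B7F0A1C2-0000-4000-8000-000000000001} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-03-01] (Google Inc)
"""

# rundll32 followed by the DLL it loads (quoted or not; an unquoted path containing
# spaces is ambiguous on the command line anyway and is not handled here).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)"?', re.I)
USER_WRITABLE_RE = re.compile(r'\\(?:AppData|ProgramData|Temp|Users\\Public)\\', re.I)
WINDOWS_DIR_RE = re.compile(r'^[a-z]:\\windows\\', re.I)
RUN_KEY_RE = re.compile(r'\\Run(?:Once)?$', re.I)
# "<first seen> - <last seen> - <size> <attrs> [D] <path>", as FRST prints file entries
FILE_RE = re.compile(r'^\S+ \S+ - \S+ \S+ - (\d{8}) (\S+) (?:D )?([A-Za-z]:\\.*)$')
SCRIPT_EXT = ('.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta', '.bat', '.cmd', '.ps1')
DEFAULT_BOOTEXECUTE = 'autocheck autochk *'


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def check_line(line: str) -> list[Finding]:
    """Apply the heuristics to one FRST line and return the findings for it."""
    line = line.strip()
    found: list[Finding] = []
    m = FILE_RE.match(line)
    if m:
        attrs, path = m.group(2), m.group(3)
        # read-only + system + hidden on a file under \Windows is how the
        # upnphostg.dll entry in the thread tries to stay out of sight
        if all(flag in attrs for flag in 'RSH') and WINDOWS_DIR_RE.match(path):
            found.append(Finding('hidden-system-file-in-windows', line))
        return found
    head, sep, body = line.partition(': ')
    if not sep:
        return found
    if RUN_KEY_RE.search(head):
        m = RUNDLL_RE.search(body)
        if m and USER_WRITABLE_RE.search(m.group(1)):
            found.append(Finding('run-key-rundll32-user-writable', line))
    elif head == 'ShortcutTarget':
        target = body.split(' - ', 1)[-1]
        target = re.sub(r'\s*\([^)]*\)\s*$', '', target)  # drop trailing "(Publisher)" / "()"
        if target.lower().endswith(SCRIPT_EXT):
            found.append(Finding('startup-script', line))
    elif head == 'BootExecute':
        if body.strip() != DEFAULT_BOOTEXECUTE:
            found.append(Finding('bootexecute-modified', line))
    elif head == 'Task':
        # Legitimate scheduled tasks rarely invoke rundll32; treat this as a review
        # item, not proof: the DLL and its export name still need a manual look.
        if RUNDLL_RE.search(body):
            found.append(Finding('task-runs-rundll32', line))
    return found


def triage(text: str) -> list[Finding]:
    """Run check_line over every non-empty line of an FRST log."""
    return [f for ln in text.splitlines() if ln.strip() for f in check_line(ln)]


def rules_hit(text: str) -> list[str]:
    """Sorted, de-duplicated names of the rules that fired on the log."""
    return sorted({f.rule for f in triage(text)})


if __name__ == '__main__':
    for f in triage(SAMPLE_FRST):
        print(f'[{f.rule}] {f.line}')
```

On the sample above the script flags six lines and leaves the Realtek entry, the Google Update task and the {GUID} folder alone; the folder listing is reported by FRST for context, not because a per-day GUID directory is malicious by itself. Findings are a starting point for writing a fixlist, not a verdict: a rundll32 task or a non-default BootExecute can belong to legitimate software, so confirm each hit against the rest of the report before removing it.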

 


(Smuk20) #5

Fixlog report - http://www.wklej.org/id/1824497/

new FRST report - http://www.wklej.org/id/1824501/

I hope the FRST report got overwritten :wink:

So far Avira hasn't popped up with any virus, so thank you in advance.

If need be, I'll write again should it turn out not to have helped after all.

 


(Atis) #6

Delete the folder C:\FRST


(Smuk20) #7

OK, nothing pops up anymore, thanks again.